Airbnb privacy flaw makes it easy for hackers to work out a host's personal details

Harvard students say publicly available information is enough for criminals to work out host addresses.

Harvard computer science students have found a way to identify the full names and addresses of Airbnb hosts - a major privacy flaw that exposes millions of properties to potential crimes (Image: Reuters)

Harvard computer science undergraduate students have figured out a way to precisely determine the address and personal details for Airbnb hosts, which would make it simple to locate empty homes to burgle.

Airbnb claims that its system guarantees the privacy of all home owners – known as "hosts" – by only showing the host's first name and the rough location of their property on a map.

At the same time, the house-sharing platform aims to make sure the people who book places are always held accountable for their actions, by making them verify identities by showing some form of official government-approved identification and connecting their social media profiles.

But if you're a criminal and you want to pinpoint houses to burgle that will definitely be empty, the information made publicly available by Airbnb is more than enough to figure out the personal details of actual Airbnb hosts and property addresses, without the need to make a booking and identify yourself to the service.

Using electoral roll data

Harvard undergrads Aron Szanto, Neel Mehta and Emily Houlihan have designed a computer algorithm that took the publicly available information about hosts and properties in the state of Wisconsin and compared it to the state's electoral roll.

In the US, all 50 states are required to make voter data public, and the records include details relating to an individual's name, address, phone number, email address and the party they voted for.

The students found that their algorithm could easily identify and locate Airbnb hosts from the voter data and Airbnb information provided. Let's say your Airbnb host name is Dave, and you're renting out an apartment in Whitefish Bay, a suburb in the city of Milwaukee, Wisconsin.

When you book a place to stay, Airbnb provides you with a map showing the rough location of the property within a large green circle – this means that the host's home is located within a 500m radius of the centre of the circle on the map.

Find an Airbnb to burgle

Airbnb shows users a map with a green circle showing roughly the area where the property in the listing is located (Image: Aron Szanto/Medium)

If you know where the green circle is, then you can calculate a rough estimate of the latitude and longitude of the property's location using a geocoder.

The algorithm works by looking for all the people named Dave who are known to live in the areas close to the latitude and longitude, and then calculating how far each Dave lives from the geographic coordinate.

The Airbnb listings also include photos of what the front of each property looks like, so the students picked the addresses closest to the geographic coordinate and then started looking for their homes by typing the postcodes into Google Street View to see if the Street View images matched the photos on the listings.

Out of the 84 properties they tested the algorithm on, they were able to successfully identify the correct host and address for 40% of them.

"If our sample was representative, that means that you could find the full name and address of 1.2 million of the 3 million Airbnb hosts out there," Szanto wrote in a blog post on Medium.

"Here's how a bad guy with some technical chops could rob a house. They could find Airbnb listings in their area that were available for tonight — especially the 'instantly bookable' ones, since that feature is usually used by owners who are on vacation.

"Then they could use this algorithm to figure out the address of a target house. Since no one will be home, the bad guy can rob the house without anyone knowing it was them."

Could this be possible in the UK?

The UK has very strict data collection laws, and since 2002, registered voters have been allowed to opt out of having their data sold to third-party advertising and marketing firms. A lot of the free electoral voter databases on the internet are compiled using data from prior to 2002, or using data from voters who didn't opt out.

So while it wouldn't be as successful as the US example demonstrated by the Harvard students, with a dataset of British voters' names and addresses it is likely that some voter records would correspond to an Airbnb host listing in the UK.

Airbnb's Global Head of Trust and Risk Management Nick Shapiro told IBTimes UK: "Protecting the safety, security, and privacy of our hosts — as well as our entire global community — is our top priority, and we are constantly strengthening our systems to ensure they are as secure as possible.

"Our risk team is currently reviewing the issues raised in the post and if need be, we will work to address them quickly."